sftp without shell access

Since OpenSSH 4.9, sshd has shipped with built-in chroot support: the ChrootDirectory option together with the in-process "internal-sftp" subsystem. Chrooting the sftp session and forcing it to sftp only, with no shell, is a clean way to give a handful of users a secure place to exchange files.

1. Edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config)

Replace the line "Subsystem sftp /usr/lib/openssh/sftp-server" with:

Subsystem sftp internal-sftp

UsePAM yes

Match User user1
    # The following two directives force user1 to become chrooted
    # and only have sftp available.  No other chroot setup is required.
    ChrootDirectory /sftp-upload
    ForceCommand internal-sftp
    # For additional paranoia, disallow all types of port forwarding.
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no

Two things to watch. The Match block has to stay at the end of the file: every directive after a Match line belongs to that block until the next Match, so anything you append below it will silently apply only to user1. And sshd refuses to chroot unless /sftp-upload and every directory above it are owned by root and not writable by group or others (the "bad ownership or modes for chroot directory" error in the log), so the user must not own the chroot root itself; the writable subdirectory inside it is created in step 2. The UsePAM line is the usual distribution default and is unrelated to the chroot; keep whatever your system already has.

2. Now add the user and its upload directory:

useradd -d /user1 -s /bin/false user1

cd /sftp-upload

mkdir user1

chown -R user1:user1 user1/

The home directory is deliberately /user1 rather than /sftp-upload/user1: sshd chroots first and then changes into the home directory, so /user1 is resolved inside the chroot and lands in /sftp-upload/user1 on the real filesystem (useradd is run without -m, so no real /user1 is created). The login shell does not matter for the sftp session because ForceCommand internal-sftp runs inside sshd without spawning a shell; /bin/false just blocks everything else. The chown assumes useradd created a user1 group as well, which it does on most Linux distributions.

3. Reload your sshd daemon (kill -HUP <sshd pid>). Validate the file first with sshd's -t switch; a typo in sshd_config that only shows up on reload can lock you out of the box.

Non-standard: only restrict shell access

You want to allow a user to put files or folders in his or her home directory through an sftp client or WinSCP, but you do not want to grant any kind of shell access. Here is a simple trick.

Just change the login shell to /usr/local/libexec/sftp-server (Solaris) or /usr/lib/openssh/sftp-server (Linux). When a client requests the sftp subsystem, sshd starts it through the user's login shell, so a shell that is itself sftp-server serves sftp and nothing else; sftp-server ignores the arguments it receives when invoked that way, and an interactive login or scp gets the same binary and goes nowhere.

This is not a chroot: the user still sees the whole filesystem and can read anything that file permissions allow. If you want to keep sensitive data out of reach, remove the read (r) and execute (x) permission for "others" on those files and directories. Also keep the AllowTcpForwarding no / X11Forwarding no settings from the Match block in the chroot setup, because changing the shell alone does not stop port forwarding.
